AS/400

The Application System/400 (AS/400) was a "mid-range" family of IBM computers meant for small and intermediate-sized companies.(1) Introduced in 1988, the AS/400 replaced the System/38, while featuring compatibility with IBM's successful System/36 line of minicomputers.(2)(3)

Developed internally at IBM, the AS/400 originally included six processor models and doubled the performance of the System/38 line it replaced.(4) In 1995 the AS/400 line moved from a custom 48-bit IBM CISC CPU architecture to a 64-bit POWER-based RISC CPU, which increased the address space. With more than 1,000 software packages released upon its launch, the AS/400 became a popular business system. "During 1998, IBM (delivered) an AS/400 to a customer every 12 minutes of every workday."(5)(6)(7) In 2000, the AS/400 was renamed as the iSeries, which remains in production with around 400,000 installations.(8)

The AS/400 originally shipped with three levels of security -- levels 10, 20, and 30 -- with level 10 providing no security, level 20 requiring users to sign on with a password, and level 30 giving differential levels of access, depending upon the user's permission level for accessing resources. Level 30 was the minimum level of security IBM recommended for users. IBM subsequently added levels 40 and 50, with level 40 restricting the range of instructions users and programs were allowed to use, depending upon the class level of the user and program. Level 50, announced with OS/400 V2R3, added features to meet the NSA C2 certification standard, including "discretionary," need-to-know protection for system resources.(9)

A 2008 article from ISACA outlined several security features of the AS/400 and System i. One security strength of the i5/OS at the time was its object-based architecture, which made it "extremely resistant" to viruses. The i5/OS identified "programs" that were valid to be executed and distinguished these from "files," which were not. A number of security weaknesses -- routinely observed during in-field security audits -- could be traced to inattentive or sloppy practices by systems administrators. In a typical system installation, for instance, fully ten percent of users were granted the most powerful of eight special security authorities, giving each of these users root- or administrator-level access to the system. The most common password setting permitted a maximum password length of just 10 uppercase letters. Of the security levels noted above (10-50), installations frequently allowed the use of the low level 30, with "numerous known exploits."(10)

Several valuable features had worrisome security implications. Built into the i5/OS operating system was a powerful database, which facilitated the system's wide use in such fields as banking, retail, and health care. But the consequence was that "every user who has a valid user ID and password . . . can access the database system." For instance, typically "every (bank) teller can read and modify every account," while in retail establishments each and every valid user "can read and use credit card numbers" stored in the database. The introduction of built-in TCP/IP networking support, with factory settings "ready to talk with the outside world," had vast security implications. Remote users could log in and use such software applications as FTP (File Transfer Protocol) or ODBC (Open Database Connectivity, as used by Microsoft Excel) to view and access essentially all data. (This was a hold-over from the earlier era that presumed all users logged in through "dumb terminals," which permitted only limited access to specifically identified data and effectively prevented any user from "wandering about the system and peering into places they should not be." With more flexible TCP/IP software, common users could easily "wander around" the system and even change the 'permissions' of files.)(11)